bug 11302: support new CSP for SP2.

TB Done: conditional check to use --set vs --match-set
2011-11-01 17:52:46 -07:00 · 2011-11-01 17:52:46 -07:00 · f5eb82869b
parent 5164394949
commit f5eb82869b
1 changed files with 61 additions and 5 deletions
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@ -535,8 +535,30 @@ def destroy_ebtables_rules(vm_chain):
            util.pread2(['ebtables', '-t', 'nat', '-X', chain])
        except:
            util.SMlog("Ignoring failure to delete ebtables chain for vm " + vm_chain)   
+            
+    destroy_arptables_rules(vm_chain)

-         
+
+@echo
+def destroy_arptables_rules(vm_chain):
+    delcmd = "arptables -vL FORWARD | grep " + vm_chain + " sed 's/-i any//' | sed 's/-o any//' | awk '{print $1,$2,$3,$4}' "
+    delcmds = util.pread2(['/bin/bash', '-c', delcmd]).split('\n')
+    delcmds.pop()
+    for cmd in delcmds:
+        try:
+            dc = cmd.split(' ')
+            dc.insert(0, 'arptables')
+            dc.insert(1, '-D')
+            dc.insert(2, 'FORWARD')
+            util.pread2(dc)
+        except:
+            util.SMlog("Ignoring failure to delete arptables rules for vm " + vm_chain)
+    
+    try:
+        util.pread2(['arptables', '-F', vm_chain])
+        util.pread2(['arptables', '-X', vm_chain])
+    except:
+        util.SMlog("Ignoring failure to delete ebtables chain for vm " + vm_chain) 
              
@echo
 def default_ebtables_rules(vm_chain, vif, vm_ip, vm_mac):
@ -552,7 +574,7 @@ def default_ebtables_rules(vm_chain, vif, vm_ip, vm_mac):
                util.pread2(['ebtables', '-t',  'nat',  '-F', chain])
            except:
                util.SMlog("Failed to create ebtables nat rule, skipping")
-                return 'true'
+                return default_arptables_rules(vm_chain, vif, vm_ip, vm_mac)

    try:
        # -s ! 52:54:0:56:44:32 -j DROP 
@ -585,6 +607,40 @@ def default_ebtables_rules(vm_chain, vif, vm_ip, vm_mac):
        return 'false' 
    
    return 'true'
+    
+@echo
+def default_arptables_rules(vm_chain, vif, vm_ip, vm_mac):
+    try:
+        util.pread2(['arptables',  '-N', vm_chain])
+    except:
+        try:
+            util.pread2(['arptables', '-F', vm_chain])
+        except:
+            util.SMlog("Failed to create arptables rule, skipping")
+            return 'true'
+
+    try:
+        util.pread2(['arptables',  '-A', 'FORWARD', '-i',  vif, '-j', vm_chain])
+        util.pread2(['arptables',  '-A', 'FORWARD', '-o',  vif, '-j', vm_chain])
+    except:
+        util.SMlog("Failed to program default arptables rules in FORWARD chain vm=" + vm_chain)
+        return 'false'
+    
+    try:
+        util.pread2(['arptables',  '-A', vm_chain, '-i', vif, '--source-mac', '!', vm_mac, '-j', 'DROP'])
+        util.pread2(['arptables',  '-A', vm_chain, '-i', vif, '--source-ip', '!', vm_ip, '-j', 'DROP']) 
+        util.pread2(['arptables',  '-A', vm_chain, '-i', vif, '--opcode', 'Request',  '-j', 'ACCEPT'])   
+        util.pread2(['arptables',  '-A', vm_chain, '-i', vif, '--opcode', 'Reply', '-j', 'ACCEPT'])    
+        
+        util.pread2(['arptables',  '-A', vm_chain, '-o', vif, '--opcode', 'Request', '--destination-ip', vm_ip, '-j', 'ACCEPT'])   
+        util.pread2(['arptables',  '-A', vm_chain, '-o', vif, '--opcode', 'Reply', '--destination-mac', vm_mac, '-j', 'ACCEPT'])   
+        
+        util.pread2(['arptables',  '-A', vm_chain,  '-j', 'DROP'])    
+    except:
+        util.SMlog("Failed to program default arptables  rules")
+        return 'false'
+    
+    return 'true'

@echo
 def default_network_rules_systemvm(session, args):
@ -1113,14 +1169,14 @@ def network_rules(session, args):
                util.SMlog(" failed to create ipset for rule " + str(tokens))

            if protocol == 'all':
-                iptables = ['iptables', '-I', vmchain, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'src', '-j', 'ACCEPT']
+                iptables = ['iptables', '-I', vmchain, '-m', 'state', '--state', 'NEW', '-m', 'set', '--set', ipsetname, 'src', '-j', 'ACCEPT']
            elif protocol != 'icmp':
-                iptables = ['iptables', '-I', vmchain, '-p',  protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'src', '-j', 'ACCEPT']
+                iptables = ['iptables', '-I', vmchain, '-p',  protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-m', 'set', '--set', ipsetname, 'src', '-j', 'ACCEPT']
            else:
                range = start + "/" + end
                if start == "-1":
                    range = "any"
-                    iptables = ['iptables', '-I', vmchain, '-p',  'icmp', '--icmp-type',  range,  '-m', 'set', '--match-set', ipsetname, 'src', '-j', 'ACCEPT']
+                    iptables = ['iptables', '-I', vmchain, '-p',  'icmp', '--icmp-type',  range,  '-m', 'set', '--set', ipsetname, 'src', '-j', 'ACCEPT']
            cmds.append(iptables)
            util.SMlog(iptables)